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Formal Methods tools will never have as many users as tools for popular programming languages 
and so the effort spent on constructing Integrated Development Environments (IDEs) will be orders 
of magnitudes lower than that of programming languages such as Java. This means newcomers to 
formal methods do not get the same user experience as with their favourite programming IDE. In or¬ 
der to improve this situation it is essential that efforts are combined so it is possible to reuse common 
features and thus not start from scratch every time. This paper presents the Overture platform where 
such a reuse philosophy is present. We give an overview of the platform itself as well as the exten¬ 
sibility principles that enable much of the reuse. The paper also contains several examples platform 
extensions, both in the form of new features and a new IDE supporting a new language. 


1 Introduction 

The Vienna Development Method (VDM) is one of the most mature Formal Methods (FM) |[2^ [TSll . 
The method focuses on the development and analysis of a system model expressed in a formal language. 
The formality of the language enables developers to use a wide range of analytic techniques, from testing 
to mathematical proof, to verify the consistency of a model and its correctness with respect to an existing 
statement of requirements. The VDM modelling language has been gradually extended over time. Its 
most basic form (VDM-SL), standardised by ISO |[29l supports the modelling of the functionality of 
sequential systems. Extensions support object-oriented modelling and concurrency (VDM-i-i-) ifThl . real¬ 
time computations |[3^ and distributed systems (VDM-RT) B3l 1^ . All these dialects of VDM are 
supported by the Overture platform |[^ {^ 

The mission of the Overture open-source project is twofold: 

• To provide an industrial-strength tool that supports the use of precise abstract models in any VDM 
dialect for software development. 

• To foster an environment that allows researchers and other interested parties to experiment with 
modifications and extensions to the tool and the different VDM dialects. 

As is the case with other FM tools, the Overture Integrated Development Environment (IDE) con¬ 
sists of a common Abstract Syntax Tree (AST) representing the model and various plug-ins providing 
the different kinds of analysis available in VDM as shown in fig. [T] The broad variefy of analysis pos¬ 
sible is common in many formal mefhods. In such cases, if is imporfanf fo ensure fhaf all analyses 
are implemented in a consisfenf way fo facililale mainfenance. Such consisfency would also aid in fhe 
developmenf and infegrafion of new functional extensions. 

* See http://overturetool.org 
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Figure 1: Overture Tool Components 


In addition to the above, this platform-based arehitecture allows for the reuse of common features 
across all extensions. This reuse can be taken further by supporting language extensions that would 
allow other formal notations to reuse the same platform. Recently, Overture has been re-factored to 
enable such a reuse (lllIS. The main contribution reported in this paper is the Overture platform itself 
and its extensibility principles which are described in sections]^ andAn extensible platform facilitates 
the development of new features for an IDE and in section]^ we demonstrate how several features of the 
Overture IDE have been developed on top of the platform. Eurthermore, in section we demonstrate 
how the platform has been integrated with an external tool. 

The extensibility principles of the Overture platform also affect the notation itself. The platform 
is capable of supporting a base language (VDM in the case of Overture) as well as multiple notation 
extensions. This allows for the development of IDEs for new notations with heavy reuse of common 
features. Section [^describes one such IDE, which also includes integration with several external tools. 

Open issues remain in the platform, most notably in terms of integration with external tools. Section]^ 
lays out future work for addressing some of these issues and also summarises the paper. It is our hope that 
this paper demonstrates the advantages of platform-based IDE development and that it can be beneficial 
for multiple EM tool builders to share a common platform. 

Other examples of EM platforms with comparable functionalities include the Asmeta tool set for 
ASM 13113, the Rodin platform for Event-B min [141 or TEAToolbox for TEA+ ll28ll4Tl . The extension 
philosophies of the software tools differ as do the actual extensions that are available. A detailed com¬ 
parison is beyond the scope of this article, but more information about these platforms and the modelling 
languages they support can be found by following the references provided. The general philosophy of 
reuse has also been employed effectively for theorem provers l39l . 
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Figure 2: The Overture Platform. 

2 The Overture Platform 

2.1 Overview 

The Overture platform supports the development of FM IDEs. It was originally developed to support 
the development of the Overture IDE for VDM but has since evolved into a more general platform. It is 
comprised of two parts: the Overture Language Core and the Overture Eclipse Extensions, as shown in 

fig- HI 

2.2 Overture Language Core 

The language core encapsulates and handles any language and notation-related concerns, including pars¬ 
ing, representation and analysis, in order to facilitate decoupling between the core language and User 
Interface (UI) implementations. In addition to the general benefits of separation of concerns, the lan¬ 
guage core also opens the possibility of migrating the IDE implementation to another UI technology 
as well as providing the base tool functionalities for command line access, batch processing or as an 
external tool to be accessed by others. 

The language core consists of an extensible AST that is automatically generated by the AstCreator 
tooj^ as well as a parser for constructing the AST from model sources. In addition, AstCreator also 

^See http://github.com/overturetool/astcreator 












































Luis Diogo Couto et. al. 


17 


generates machinery for traversing and processing trees in a consistent way in the form of a visitor 
framework 1211. Any kind of analysis of the AST such as type checking or interpretation should be 
implemented using the visitor framework. 

One of the key features of the language core is its extensibility mechanism which allows language 
extensions or new languages to be implemented in the Overture platform while reusing as much existing 
code as possible. This mechanism is described in further detail in section]^ 


2.3 Overture Eclipse Extensions 

The Overture platform also consists of a set of extensions to the Eclipse Rich Client Platform (RCP) 
that are used to help build the U1 components of the IDE. The Eclipse RCP is a generic framework for 
building rich client applications using the Eclipse OSGi plug-in model and U1 toolkits. It is is powerful 
and generic but comes with a cost: significant amounts of boilerplate source code and configuration files 
musf be wrillen in order fo prepare if fo build an IDE. 

The Overfure Eclipse exfensions automate some of fhe configuralion and preparafion work by provid¬ 
ing fhe aforementioned boilerplafe code fargefing EM nofafions. The exfensions provides an exfensible 
applicafion framework on fop of fhe RCP. If significanfly reduces fhe amounf of code fhaf needs fo be 
wriffen in order fo confribufe an exfension fo fhe IDE. To puf if anofher way, fhe RCP API is very wide 
and fhe Overfure Eclipse Exfensions summarise a porfion of if, fhus giving developers faster access fo 
the functionality at the cost of some flexibility. However, the Overture extensions are fully interoperable 
with the RCP so any other extension that requires direct access to the RCP can still be used. 

There are other frameworks similar to the Overture extensions in the Eclipse project, such as the 
Dynamic Eanguages Toolkit (DETK) and Xtext ll45l . DETK is designed to support the implementa¬ 
tion of IDEs for dynamic programming languages and Xtext is designed to support the implementation 
of IDEs for for Domain-Specific Eanguages (DSEs) or small programming languages. Neifher frame¬ 
work is particularly suifable for VDM - VDM is similar in nofafion fo a sfafically fyped general-purpose 
programming language - which was fhe original largel language fo be supporfed by fhe Overfure IDE. 

Broadly speaking, fhe Overfure Eclipse exfensions can be divided info fhree groups: 

• a sef of Ul elements for editors, launch configurations, efc. fhaf inferacf direcfly wifh fhe Eclipse 
RCP. 

• a sef of project elements that represent the PM model and associated concepts such as source units, 
according to the Eclipse project model. Also included are connectors and providers for accessing 
these various entities from within the IDE. 

• a set of builders that interact with the language core in order to process language sources to con¬ 
struct an internal representation of the model and load it into the project elements. 

Both the builders and the project elements are developed according to standard Eclipse conventions 
so that new versions of these packages for other notations may be contributed. 

Currently, the Overture Platform primarily supports the Overture IDE. The Overture IDE is com¬ 
prised of Eclipse plug-ins that use components implemented with the language core to perform analysis 
of the VDM AST and Ul components that wrap the analysis and use the Eclipse extensions to implement 
the interaction with the user. 
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3 Extension Principles of the Overture Language Core 


The basic principles of extensibility in the Overture language core are related to the generation of ASTs 
from specification files, similar to parser generators like SableCC EOll . In addition to generating the 
classes representing the tree structure, it is important to generate auxiliary machinery to allow developers 
to implement analysis of the AST in a consistent manner. 

The main way to construct extensions in the language core is by extending the AST. Generally 
speaking, an AST is extended by adding new subtrees that are either entirely new or that contain some 
existing base nodes. In addition, the extended tree needs to reuse the existing base node classes wherever 
possible. 

In addition to extending the tree itself, it is important to also extend the analysis machinery. Partic¬ 
ularly, this extended machinery needs to be able to analyse trees made up of extension and base nodes. 
Furthermore, the extended analysis machinery needs to reuse the base machinery when processing base 
nodes - this is essential for achieving reuse of functionalities already implemented as base analysis. 

Whether speaking of a tree made of only extension nodes or a hybrid tree with extension and base 
nodes or even a base tree, the AST classes have a limited ability to enforce the structure of each particular 
instantiation of the tree. It is the syntax of the language, as encoded in the parser, that ultimately controls 
which trees are admissible. Along the same lines, it is the parser that controls which base nodes are 
reused when constructing hybrid trees as the extended tree specification can only set an upper limit on 
this. 

The extensibility principles of the Overture language core are primarily realised through the AstCre- 
ator tool. AstCreator provides provides an automated way of generating trees and auxiliary machinery 
from specification files as shown in fig. The fool is capable of taking an existing AST as well as an 
extension specification and generating the extension nodes and visitor framework upon which to imple¬ 
ment analyses0Both nodes and visitors are aware of the base classes thus ensuring interoperability with 
the base trees. 


It is also possible to use AstCreator to build a completely new AST supporting a language that is 
unrelated to VDM (see section 4.1 for an example). In this case, a new base tree and visitor framework 
will be produced and it will not be possible to reuse existing components of the language core. As such, 
we focus on the case where the new language being supported is an extension of an existing notation 
where it is possible to reuse parts of the base AST, and the corresponding analysis. Typically, constructs 
like arithmetic or logical expressions or imperative statements can be reused. This leads to hybrid trees 
where nodes from the base and extended trees are blended together. 


The semantics of such a language extension should be implemented as various AST analyses such as 
type checking or interpretation. Each analysis should be implemented as an independent component that 
processes the tree in a consistent way. The visitor framework that is generated as part of the extension 
provides a way to achieve this. Since the visitor framework itself is extension-aware it enables selective 
and controlled reuse of existing base analyses as necessary. The extension-aware visitor is illustrated in 

fig- El 

An example of these extension principles at work can be seen in the Symphony IDE, as described in 
section 


^AstCreator is also capable taking a base and extension specification and producing both sets of classes, though this is done 
less frequently. 
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Description 


Figure 3: Extending AST specifications. 

4 Functionality extensions 

New functionality can be contributed in the Overture platform either by using the language core, the 
Eclipse extensions or a combination thereof. The language core provides the necessary mechanisms 
to interact with the AST as well as extending it, whereas the Eclipse extensions provide the means to 
expose functionality to the user. In this section, we provide examples of how both can be used to add 
new functionality to Overture. 

4.1 The code generation platform 

The code generation platform aims to facilitate integration of VDM code generators into Overture with 
minimum effort ETl . Eike many other Overture components, the code generation platform interacts 
with the language core by analysing a type checked VDM AST in order to generate code in some target 
language. Currently, the code generation platform is used to develop VDM code generation support to 
Java and C++, and in addition, there is ongoing work on generating Isabelle/HOE syntax ifTTI . 

In order to promote reuse the code generation platform works with an Intermediate Representa¬ 
tion (IR) of the generated code, which is independent of any particular target language. In addition, the 
code generation platform provides mechanisms for rewriting or transforming the IR into a semantically 
preserving form that is easier for a particular backend to code generate. Eurthermore, since transfor¬ 
mations work directly on the IR it becomes easier for different backends to use and contribute new 
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Figure 4: Extended AST and analysis. 


functionality to analyse and modify the IR. 

The code generation platform allows new nodes to be added to the IR as well as extending existing 
nodes with additional fields as enabled by AstCreator, which is used for the specification of the IR. The 
Isabelle/HOL code generator exploits this, since mutually recursive functions must be grouped explicitly 
in Isabelle/HOL and therefore the code generator adds function groups to the IR. This is done in a supple¬ 
mentary tree extension file and demonstrates how users of the code generation platform can extend and 
change the IR as needed. Although most of the work involved in developing code generation support in¬ 
cludes traversing and transforming the IR, thus interacting with the language core, the Eclipse extensions 
provide the necessary mechanisms to read preferences and configure the code generation process. 

4.2 Interpreting implicit specifications using ProB 

In VDM functions and operations can be either explicitly or implicitly (using pre and post conditions) 
defined. An explicit description defines how the output is obtained from the input, which enables the 
description to be evaluated directly in the VDM interpreter |[3^ . Implicit descriptions, on the other 
hand, only specify the constraints that must be met but without defining how the output is obtained. 
Therefore, attempting to evaluate an implicit description in the interpreter yields a runtime error. To 
avoid restricting analysis of implicit descriptions to static analysis only. Overture has recently integrated 
the ProB constraint solver in order to enable evaluation of implicit descriptions 

Interpretation of implicit descriptions adds an additional step to the model execution where the pre 
and post state as well as the constraints imposed by the implicit description, is converted to ProB syntax 
to form a formula, which is submitted to the ProB constraint solver. This formula is constructed as a 
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string by analysing the type checked AST. 

If ProB is able to find a solution to the given problem the solution is converted back to VDM format 
and used throughout subsequent execution of the model. Intercepting the interpretation of implicit de¬ 
scriptions is primarily enabled through extension of the language core, and interacting with ProB via an 
external Java API. 


4.3 VDMTools integration 

VDMTools IITtI is an industrial strength IDE, maintained by the SCSK corporation, for analysing models 
written in VDM. Among many features also supported by Overture, VDMTools provides extensive 
semantic checking, execution and Java/C-i-i- code generation of models written in VDM. To facilitate 
use of different IDEs, Overture provides an option to export an Overture VDM project to a VDMTools 
compatible format. This plugin is developed through the Eclipse extensions that are used to convert meta 
data from an Overture project to a format compatible with VDMTools. 


4.4 Combinatorial Testing 

Combinatorial Testing (CT) in VDM provides automated generation and execution of a large collection 
of tests as an extension to the language core functionality lOTIl . The addition of CT in Overture has 
trigged several changes to the language core components. Eirst, the AST was extended to support the 
trace nodes. Second, the type checker was updated to support type checking of both traces and generated 
tests. Einally, the interpreter was extended to support trace expansion as well as test execution. 

In addition to extending the language core a CT view has been added to Overture as a new Overture 
Eclipse plugin extension. This plugin serves to provide a convenient way for users to inspect the test 
execution results, filtering large collections of tests in order to obtain a reduced representable subset of 
tests, and re-executing tests individually. 


5 Building a Co-Simulation tool with the Overture Platform 

The Crescendo tool supports collaborative modelling and co-simulation of Cyber Physical Systems 
(CPSs) |[T8l . and has been developed by extending the Overture platofrm. This extension enables co¬ 
simulation between co-models, which are composed of a discrete time model described in the VDM-RT 
language, and a continues time model described using differential equations. The extension is com¬ 
posed of a co-simulation engine that connects an extended version of the VDM interpreter ll^ from the 
Overture tool with the simulator in 20-Sim [!9I]. 

The Crescendo tool primarily extends the Overture platform using ordinary Eclipse extension points 
for: builders, debug related U1 and views. However, it also uses Overture Eclipse extensions for e.g. 
editors, and debugging related components. 

An extension was also made to the language core by extending the VDM interpreter used for evalu¬ 
ating and debugging with two main features: a) the ability to only simulate until a certain time bound, 
and b) the ability to detect when a shared co-simulation variable is accessed. This is necessary in order 
to support co-simulation such that the two simulators can synchronize their time steps. 
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6 Building a new IDE with the Overture Platform 

Thus far, this paper has shown how to contribute extensions to the Overture IDE and how to extend 
existing components to support co-simulation with an external tool. These examples consist of extensions 
that either make very small or no changes to the VDM language, in terms of new syntax, the semantics 
thereof or the concepts introduced. This makes the extensions relatively simple to support in comparison 
to an extension for a new full-blown FM notation, especially considering the wide variety of formal 
notations as well as their associated semantics, paradigms and problem domains. 

It is possible to use the Overture platform to build an IDE for a new notation that shares nothing with 
the VDM language. However, this means that the new IDE will be unable to reuse much of the language 
core since the AST and associated analyses will be entirely different. On the other hand, when building 
an IDE for a notation that reuses or shares parts of VDM, then the relevant parts of the language core can 
be reused. The remainder of this section shows how such reuse was achieved in the construction of the 
Symphony tool Q in the COMPASS EU FP7 Project. Symphony supports the COMPASS Modelling 
Eanguage (CME) notation ll44]| that was introduced in the COMPASS project and combines VDM with 
Communicating Sequential Processes (CSP) ll22l . 

The syntax of CME differs significantly from that of VDM, especially as it relates to the new con¬ 
structs inherited from CSP. As such, it was necessary to construct a parser to recognize CME notation. 
Tools such as ANTER greatly aid in parser construction and Symphony has an ANTER parser 
built from scratch that processes CME sources to construct ASTs that are compliant with the Overture 
language core. 

The static analysis of CME ASTs (type checking and proof obligation generation) significantly reuses 
relevant Overture components iTTOl . In the case of proof obligations, reuse led to reduction in lines of 
code from 2596 to 978 as well as a reduction in duplicate code from 37.2% to 3.1%. In general, any 
existing analysis for VDM was reused whenever possible. A good example lies in the processing of 
VDM expressions inside CSP actions - also an example of hybrid tree processing. 

The validation of CME models could not reuse Overture components so easily since the paradigms 
of CME notation are different from those of VDM. In particular, CME is a process algebra and its 
models are interpreted as sequences of events, as opposed to VDM’s imperative approach based on state 
transformations. 

Due to the difference in paradigms between the languages, significant portions of the Symphony 
interpreter had to be built from scratch. However, in spite of the differences in behaviour, the Symphony 
interpreter still manages to reuse the Overture one for evaluating expressions and reused statements. 

For all cases of reuse in Symphony, the same basic principle applies: the extended analysis processes 
the hybrid tree and when it encounters a base node, it submits the node to its counterpart base analysis, 
with a mechanism in place for the extension to re-assume control and preventing the base analysis from 
hijacking the analysis of the remaining tree. 

Finally, it is important to discuss the underlying semantics of the various analyses as it should be 
ensured that consistent semantics are in place across all components of the tool, lest errors be introduced 
in the overall results due to gaps between the various semantics. In the COMPASS project this was 
addressed by using the Unifying Theories of Programming ll2^ that provides a common framework for 
the various semantic models used in the project. This work eventually led to a mechanisation of a subset 
of CME in Isabelle |[T9l . 

Most functionalities of the Symphony IDE were implemented as Eclipse plug-ins using a combi¬ 
nation of the Overture language core (exported via a counterpart Symphony core) and the Overture 
Eclipse extensions (used to build the main UI components of the Symphony IDE). In addition to 


Luis Diogo Couto et. al. 


23 


its native functionalities, the Symphony IDE also uses its various plug-ins to integrate externals tools 
such as Maude l|5l |6l, Isabelle |[37l (via Isabelle/Eclipse ll24ll '). EORMUEA |[25l . RT-Tester BOll and 
ProB ||34l [35l . The most relevant external tool integrations are shown in fig. Note how this aims at 
following the principle of reusing existing functionality rather than re-developing from scratch. 



Eigure 5: The COMPASS tools 


7 Concluding Remarks and Future Work 

This paper has described the Overture IDE and its underlying platform. We have shown the extensibility 
principles of the platform and demonstrated how they support multiple functional extension plug-ins. 
Eurthermore, we have demonstrated how the platform can support notation extensions and, as such, be 
used as a basis platform by other EM tool builders. The ability to reuse existing functionality and build 
on the work of other teams can help improve the quality of EM tools in general. 

Going forward, there are various potential improvements that can be made to the Overture platform 
and we discuss a few of them here. The first improvement is in terms of the AstCreator tool’s specifi¬ 
cation files. At the moment, AstCreator is only capable of generating the Java code for the AST from 
a fairly simple tree specification file. This is by design. AstCreator does not aim to address issues of 
parsing when tools such as ANTER already do an excellent job of it. However, it may be beneficial to 
integrate AstCreator with parser generators. Either by deriving an AstCreator specification file from the 
parser generator grammar or by creating a stub grammar from the AstCreator specification. 

Another potential improvement lies in making more use of the code generation platform when inte¬ 
grating external tools. Integration with external tools often consists of translating the VDM syntax into 
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that of the external tool and submitting it to the tool as is done for example in the ProB integration. These 
translations are often implemented manually using the visitor framework. However, by using the code 
generation platform, significant gains may be attained in terms of the amount of code that is necessary. 
We are currently undertaking work in this direction and early results are very promising lITTIl . 

The final improvemenf under considerafion is also relafed fo exfernal fool infegrafion, buf is a some- 
whaf open-ended question af fhe momenf. Infegrafion of exfernal fools is currenfly done on a case-by¬ 
case basis. Each exfernal fool is infegrafed in ifs own way wifh entirely handwritten code. While fhe 
synfax franslafion issue may be addressed, fhe invocafion of fhe exfernal fool, passing of dafa fo if and 
collecfion of resulfs is complefely non-sfandardized. This is mosfly a consequence of all exfernal fools 
having differenf ways of accessing fhem. However, af a high-level, mosf exfernal fool inferacfions can be 
reduced fo a general case such as exfernal command invocafion, profocol-based communication or API 
access. If would be beneficial fo have mechanisms in fhe plafform fo help deal wifh each of fhe general 
cases. Anofher alfemafive would be a mefhodological approach where guidelines are produced fo help 
developers implemenf each kind of infegrafion in a consisfenf manner. 
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